Flaws in password managers could have exposed credentials

If you thought that using a software-based password manager was a safe way to remember complex, secure passwords without them being stolen, you might want to think again.

Researchers from the University of California in Berkeley discovered major flaws in the five web-based managers they tested, including the popular LastPass. Luckily, four of the five developers of the password managers have since fixed the vulnerabilities, but it just goes to show that exploits can be found in 'secure' systems.

According to the researchers, the most serious flaw was found in LastPass, where an attacker could steal plain-text passwords from any site stored in a user's database. Through a compromised site and the victim's use of the "bookmarklet" feature - which enters passwords automatically into websites - malicious code makes stealing numerous passwords quite easy.

LastPass also contained another flaw the researchers discovered, which could have given attackers a user's encrypted password database, so long as the user's email address was known to the attacker. The hackers could then attempt to decrypt the database offline, with difficulty.

That said, the same flaw allowed attackers to discover all the sites a person was using LastPass with, which could lead to the attackers attempting to compromise the site to exploit the first flaw. LastPass has since addressed all the flaws, and does not believe they have ever been exploited in the wild.

The four other web-based managers tested - PasswordBox, RoboForm, My1login, and NeedMyPassword - also contained flaws of varying degrees of severity. All developers bar NeedMyPassword responded to the researchers contacting them, and have fixed the vulnerabilities.

While the researchers didn't test another of the major password managers, 1Password, there's no indication it was inherently more secure.

Using a password manager is still safer than using one password for all websites, as security-focused password managers are less likely to be seriously compromised than other websites that may not have as strong a focus on protecting their users. However, using a password manager does potentially expose a user to a single point of failure, which if successfully attacked could be disastrous.